.\" $Id: ike-scan.1,v 1.1.1.1 2005/01/13 18:44:53 mcr Exp $
.TH IKE-SCAN 1 "December 5, 2004"
.\" Please adjust this date whenever revising the manpage.
.SH NAME
ike-scan \- Discover and fingerprint IKE hosts (IPsec VPN servers)
.SH SYNOPSIS
.B ike-scan
.RI [ options ] " " [ hosts ...]
.PP
Target hosts must be specified on the command line unless the
.B --file
option is specified.
.SH DESCRIPTION
.B ike-scan
discovers IKE hosts and can also fingerprint them using the
retransmission backoff pattern.
.PP
.B ike-scan
does two things:
.IP 1)
Discovery: Determine which hosts are running IKE.
This is done by displaying those hosts which respond to the IKE requests
sent by
.B ike-scan.
.IP 2)
Fingerprinting: Determine which IKE implementation the hosts are using.
There are several ways to do this: (a) Backoff fingerprinting - recording
the times of the IKE response packets from the target hosts and comparing
the observed retransmission backoff pattern against known patterns; (b) vendor
id fingerprinting - matching the vendor-specific vendor IDs against known
vendor ID patterns; and (c) proprietary notify message codes.
.PP
The retransmission backoff fingerprinting concept is discussed in more
detail in the UDP backoff fingerprinting paper which should be included
in the ike-scan kit as
.I udp-backoff-fingerprinting-paper.txt.
.PP
The program sends IKE Phase-1 requests to the specified hosts and displays
any responses that are received.  It handles retry and retransmission with
backoff to cope with packet loss.  It also limits the amount of bandwidth
used by the outbound IKE packets.
.PP
IKE is the Internet Key Exchange protocol which is the key exchange and
authentication mechanism used by IPsec.  Just about all modern VPN systems
implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange.
.PP
Phase-1 has two modes: Main Mode and Aggressive Mode.  ike-scan supports both
Main and Aggressive mode, and uses Main Mode by default.  RFC 2409 (IKE)
section 5 specifies that main mode must be implemented, therefore all IKE
implementations can be expected to support main mode.
.SH OPTIONS
.TP
.B --help or -h
Display this usage message and exit.
.TP
.B --file=<fn> or -f <fn>
Read hostnames or addresses from the specified file
instead of from the command line. One name or IP
address per line.  Use "-" for standard input.
.TP
.B --sport=<p> or -s <p>
Set UDP source port to <p>, default=500, 0=random.
Some IKE implementations require the client to use
UDP source port 500 and will not talk to other ports.
Note that superuser privileges are normally required
to use non-zero source ports below 1024.  Also only
one process on a system may bind to a given source port
at any one time.
.TP
.B --dport=<p> or -d <p>
Set UDP destination port to <p>, default=500.
UDP port 500 is the assigned port number for ISAKMP
and this is the port used by most if not all IKE
implementations.
.TP
.B --retry=<n> or -r <n>
Set total number of attempts per host to <n>,
default=3.
.TP
.B --timeout=<n> or -t <n>
Set initial per host timeout to <n> ms, default=500.
This timeout is for the first packet sent to each host.
subsequent timeouts are multiplied by the backoff
factor which is set with --backoff.
.TP
.B --interval=<n> or -i <n>
Set minimum packet interval to <n> ms, default=75.
This controls the outgoing bandwidth usage by limiting
the rate at which packets can be sent.  The packet
interval will be no smaller than this number.
The outgoing packets have a total size of 364 bytes
(20 bytes IP hdr + 8 bytes UDP hdr + 336 bytes data)
when the default transform set is used, or 112 bytes
if a custom transform is specified.  Therefore
for default transform set: 50=58240bps, 80=36400bps and
for custom transform: 15=59733bps, 30=35840bps.
.TP
.B --backoff=<b> or -b <b>
Set timeout backoff factor to <b>, default=1.50.
The per-host timeout is multiplied by this factor
after each timeout.  So, if the number of retrys
is 3, the initial per-host timeout is 500ms and the
backoff factor is 1.5, then the first timeout will be
500ms, the second 750ms and the third 1125ms.
.TP
.B --verbose or -v
Display verbose progress messages.
Use more than once for greater effect:
1 - Show when each pass is completed and when
packets with invalid cookies are received.
2 - Show each packet sent and received and when
hosts are removed from the list.
3 - Display the host, Vendor ID and backoff lists
before scanning starts.
.TP
.B --quiet or -q
Don't decode the returned packet.
This prints less protocol information so the
output lines are shorter.
.TP
.B --multiline or -M
Split the payload decode across multiple lines.
With this option, the decode for each payload is
printed on a seperate line starting with a TAB.
This option makes the output easier to read, especially
when there are many payloads.
.TP
.B --lifetime=<s> or -l <s>
Set IKE lifetime to <s> seconds, default=28800.
RFC 2407 specifies 28800 as the default, but some
implementations may require different values.
If you specify 0, then no lifetime will be specified.
You can use this option more than once in conjunction
with the --trans options to produce multiple transform
payloads with different lifetimes.  Each --trans option
will use the previously specified lifetime value.
.TP
.B --lifesize=<s> or -z <s>
Set IKE lifesize to <s> Kilobytes, default=0.
If you specify 0, then no lifesize will be specified.
You can use this option more than once in conjunction
with the --trans options to produce multiple transform
payloads with different lifesizes.  Each --trans option
will use the previously specified lifesize value.
.TP
.B --auth=<n> or -m <n>
Set auth. method to <n>, default=1 (pre-shared key).
RFC defined values are 1 to 5.  See RFC 2409 Appendix A.
Checkpoint hybrid mode is 64221.
GSS (Windows "Kerberos") is 65001.
XAUTH uses 65001 to 65010.
.TP
.B --version or -V
Display program version and exit.
.TP
.B --vendor=<v> or -e <v>
Set vendor id string to hex value <v>.
You can use this option more than once to send
multiple vendor ID payloads.
.TP
.B --trans=<t> or -a <t>
Use custom transform <t> instead of default set.
<t> is specified as enc[/len],hash,auth,group.
Where enc is the encryption algorithm,
len is the key length for variable length ciphers,
hash is the hash algorithm, and group is the DH Group.
See RFC 2409 Appendix A for details of which values
to use.  For example, --trans=5,2,1,2 specifies
Enc=3DES-CBC, Hash=SHA1, Auth=shared key, DH Group=2
and --trans=7/256,1,1,5 specifies
Enc=AES-256, Hash=MD5, Auth=shared key, DH Group=5
You can use this option more than once to send
an arbitary number of custom transforms.
.TP
.B --showbackoff[=<n>] or -o[<n>]
Display the backoff fingerprint table.
Display the backoff table to fingerprint the IKE
implementation on the remote hosts.
The optional argument specifies time to wait in seconds
after receiving the last packet, default=60.
If you are using the short form of the option (-o)
then the value must immediately follow the option
letter with no spaces, e.g. -o25 not -o 25.
.TP
.B --fuzz=<n> or -u <n>
Set pattern matching fuzz to <n> ms, default=100.
This sets the maximum acceptable difference between
the observed backoff times and the reference times in
the backoff patterns file.  Larger values allow for
higher variance but also increase the risk of
false positive identifications.
Any per-pattern-entry fuzz specifications in the
patterns file will override the value set here.
.TP
.B --patterns=<f> or -p <f>
Use IKE patterns file <f>, default=/usr/local/share/ike-scan/ike-backoff-patterns.
This specifies the name of the file containing
IKE backoff patterns.  This file is only used when
--showbackoff is specified.
.TP
.B --vidpatterns=<f> or -I <f>
Use Vendor ID patterns file <f>, default=/usr/local/share/ike-scan/ike-vendor-ids.
This specifies the name of the file containing
Vendor ID patterns.  These patterns are used for
Vendor ID fingerprinting.
.TP
.B --aggressive or -A
Use IKE Aggressive Mode (The default is Main Mode)
If you specify --aggressive, then you may also
specify --dhgroup, --id and --idtype.  If you use
custom transforms with aggressive mode with the --trans
option, note that all transforms should have the same
DH Group and this should match the group specified
with --dhgroup or the default if --dhgroup is not used.
.TP
.B --id=<id> or -n <id>
Use <id> as the identification value.
This option is only applicable to Aggressive Mode.
<id> can be specified as a string, e.g. --id=test or as
a hex value with a leading "0x", e.g. --id=0xdeadbeef.
.TP
.B --idtype=n or -y n
Use identification type <n>.  Default 3 (ID_USER_FQDN).
This option is only applicable to Aggressive Mode.
See RFC 2407 4.6.2 for details of Identification types.
.TP
.B --dhgroup=n or -g n
Use Diffie Hellman Group <n>.  Default 2.
This option is only applicable to Aggressive Mode where
it is used to determine the size of the key exchange
payload.
Acceptable values are 1,2,5,14,15,16,17,18 (MODP only).
.TP
.B --gssid=<n> or -G <n>
Use GSS ID <n> where <n> is a hex string.
This uses transform attribute type 16384 as specified
in draft-ietf-ipsec-isakmp-gss-auth-07.txt, although
Windows-2000 has been observed to use 32001 as well.
For Windows 2000, you'll need to use --auth=65001 to
specify Kerberos (GSS) authentication.
.TP
.B --random or -R
Randomise the host list.
This option randomises the order of the hosts in the
host list, so the IKE probes are sent to the hosts in
a random order.  It uses the Knuth shuffle algorithm.
.TP
.B --tcp[=n] or -T[n]
Use TCP transport instead of UDP.
This allows you to test a host running IKE over TCP.
You won't normally need this option because the vast
majority of IPsec systems only support IKE over UDP.
The optional value <n> specifies the type of IKE over
TCP.  There are currently two possible values:
1 = RAW IKE over TCP as used by Checkpoint (default);
2 = Encapsulated IKE over TCP as used by Cisco.
If you are using the short form of the option (-T)
then the value must immediately follow the option
letter with no spaces, e.g. -T2 not -T 2.
You can only specify a single target host if you use
this option.
.TP
.B --tcptimeout=n or -O n
Set TCP connect timeout to n seconds (default=10).
This is only applicable to TCP transport mode.
.TP
.B --pskcrack[=f] or -P[f]
Crack aggressive mode pre-shared keys.
This option outputs the aggressive mode pre-shared key
(PSK) parameters for offline cracking using the
"psk-crack" program that is supplied with ike-scan.
You can optionally specify a filename, "f", to write
the PSK parameters to.  If you do not specify a filename
then the PSK parameters are written to standard output.
If you are using the short form of the option (-P)
then the value must immediately follow the option
letter with no spaces, e.g. -Pfile not -P file.
You can only specify a single target host if you use
this option.
This option is only applicable to IKE aggressive mode.
.TP
.B --nodns or -N
Do not use DNS to resolve names.
If you use this option, then all hosts must be
specified as IP addresses.
.SH FILES
.TP
.I /usr/local/share/ike-scan/ike-backoff-patterns
List of UDP backoff patterns.  Used when the --showbackoff option is
specified.
.TP
.I /usr/local/share/ike-scan/ike-vendor-ids
List of known Vendor ID patterns.
.SH AUTHOR
Roy Hills <Roy.Hills@nta-monitor.com>
